[Snort-users] writing rule with uricontent keyword

Matt Kettler mkettler at ...4108...
Mon Feb 28 12:01:31 EST 2005

At 02:39 PM 2/28/2005, Jiju Menon wrote:
>I tried to get an alert with a test rule using uricontent:
>alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"yahoo.com";
>The rule seems not to detect a connection made to yahoo.com. Can
>anyone help me to get this rule working?

At casual glance, it looks OK...

As a sanity check, can you try a rule using "any any -> any 80" instead of 

You also might need http_inspect enabled for the uricontent keyword to work. 
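
The two checks suggested in this reply, written out as an added Snort 2.x example that is not part of the original message. The URI string, the sid and the port list are constructed for illustration, and `unicode.map` is assumed to sit in the same directory as `snort.conf`.

```snort
# --- snort.conf: make sure HTTP normalization is on -------------------
# uricontent matches against the URI buffer that http_inspect extracts
# and normalizes from the request line. Without these two preprocessor
# lines there is no URI buffer for the keyword to search.
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

# Ports listed here must include the destination port used in the rule.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 }

# --- local.rules: sanity-check rule with wide-open addresses ----------
# "any any -> any 80" takes $HOME_NET / $EXTERNAL_NET out of the picture.
# If this fires and the variable-based rule does not, the variable
# definitions (or the direction of the traffic relative to them) are
# the problem, not the uricontent match.
# The URI string below is a constructed test value.
alert tcp any any -> any 80 (msg:"uricontent sanity check"; \
    uricontent:"/snort-uricontent-test"; nocase; \
    sid:1000001; rev:1;)
```

Requesting a URL whose path contains the test string through the monitored interface should raise the alert. Once it does, narrow the rule header back to the network variables to see which side stops matching.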
